[PATCH v3] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key

[PATCH v3] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key

[Feng Ning]

[-- Attachment #1.1: Type: text/plain, Size: 1591 bytes --]

The cfg80211 framework allows key sequence counters (NL80211_KEY_SEQ)
up to 16 bytes, but ieee_param.crypt.seq is a fixed 8-byte buffer.
When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
without checking seq_len, a heap buffer overflow of up to 8 bytes
occurs, overwriting adjacent fields key_len and key[].

Cap the copy length at the buffer size using min_t().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Feng Ning <feng@innora.ai>
---
Changes v2 -> v3:
  - Added changelog below the cut line (per patch-bot feedback)
  - No code changes from v2

Changes v1 -> v2:
  - Initial public submission to linux-staging mailing list

 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 7cb0c6f22..4fba53c2d 100644
--- a/drivers/staging/rtl8723bs/
os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -883,8 +883,11 @@ static int cfg80211_rtw_add_key(struct wiphy *wiphy, struct net_device *ndev,

 	param->u.crypt.idx = key_index;

-	if (params->seq_len && params->seq)
-		memcpy(param->u.crypt.seq, (u8 *)params->seq, params->seq_len);
+	if (params->seq_len && params->seq) {
+		size_t seq_copy = min_t(size_t, params->seq_len,
+				       sizeof(param->u.crypt.seq));
+		memcpy(param->u.crypt.seq, (u8 *)params->seq, seq_copy);
+	}

 	if (params->key_len && params->key) {
 		param->u.crypt.key_len = params->key_len;
--
2.43.0

[-- Attachment #1.2: publickey - Jiqiang Feng - 0x7D1A285E.asc --]
[-- Type: application/pgp-keys, Size: 693 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 322 bytes --]

Re: [PATCH v3] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key

[Luka Gejak]

On Wed Apr 8, 2026 at 5:00 PM CEST, Feng Ning wrote:
> The cfg80211 framework allows key sequence counters (NL80211_KEY_SEQ)
> up to 16 bytes, but ieee_param.crypt.seq is a fixed 8-byte buffer.
> When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
> without checking seq_len, a heap buffer overflow of up to 8 bytes
> occurs, overwriting adjacent fields key_len and key[].
>
> Cap the copy length at the buffer size using min_t().
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Signed-off-by: Feng Ning <feng@innora.ai>
> ---
> Changes v2 -> v3:
>   - Added changelog below the cut line (per patch-bot feedback)
>   - No code changes from v2
>
> Changes v1 -> v2:
>   - Initial public submission to linux-staging mailing list
>

...

Hi Feng,
thanks for v3, however this patch can not be accepted as is.
First, of all you should configure and use git send-email for submiting 
patches as your emails should be pure plaintext.
Secondly, your emails contain attachments which are not accepted for 
patches.
Thirdly, you should not include your gpg key because as I previously 
said no attachments.
Please read Documentation/process/submitting-patches.rst file for more 
info. Logic itself is sound.
Best regards,
Luka Gejak